IETF Logo Mail Archive

Re: [sidr] Levels of BGPsec/RPKI validation, was: Re: [Idr] wglc for draft-ietf-sidr-bgpsec-protocol-11

Geoff Huston <gih@apnic.net> Wed, 29 April 2015 04:58 UTC

Return-Path: <gih@apnic.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C9DB1AC40B for <sidr@ietfa.amsl.com>; Tue, 28 Apr 2015 21:58:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.801
X-Spam-Level:
X-Spam-Status: No, score=-101.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GjUCmibXaq1B for <sidr@ietfa.amsl.com>; Tue, 28 Apr 2015 21:58:15 -0700 (PDT)
Received: from ia-mailgw.apnic.net (ia-mailgw.apnic.net [IPv6:2001:dd8:a:851::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7AA41AC411 for <sidr@ietf.org>; Tue, 28 Apr 2015 21:58:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apnic.net; s=c3po; h=received:received:content-type:mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to:x-mailer:return-path: x-originating-ip; bh=JgOOwQe+k5ce77NF9Ne6/zTL2HTqYmqzL4E9knEpjEY=; b=hPRaGbOzpwGUQBmpOy14/vCA/rEYJ5IUOLRq2dlOj43fXY4AbEr9WJrqojr6vrP8Eev+Nv09HlLIP O3zQU9ctQcu0JLJ2FwZuYYpdNcwf+ZJBY5BPaWUDrEymV0G4jxuv7IwMle0qtabDjpPo6mIgolR7Dy ed+k8iWzfcT9Frr0=
Received: from NXMDA2.org.apnic.net (unknown [203.119.101.249]) by ia-mailgw.apnic.net (Halon Mail Gateway) with ESMTPS; Wed, 29 Apr 2015 14:58:10 +1000 (AEST)
Received: from [192.168.1.47] (203.119.101.249) by NXMDA2.org.apnic.net (203.119.107.21) with Microsoft SMTP Server (TLS) id 14.1.218.12; Wed, 29 Apr 2015 14:59:27 +1000
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com>
Date: Wed, 29 Apr 2015 06:57:57 +0200
Content-Transfer-Encoding: quoted-printable
Message-ID: <B1A1BA45-8C57-45F2-907D-B9DEBF2B9820@apnic.net>
References: <4C184296-F426-40EF-9DB6-3AE87C42B516@tislabs.com> <91148102-DADB-42E8-96A0-E89120642894@tislabs.com> <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com>
To: Iljitsch van Beijnum <iljitsch@muada.com>
X-Mailer: Apple Mail (2.2098)
X-Originating-IP: [203.119.101.249]
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/XZGutftjmb88EC4pUl2JZ-RLOjA>
Cc: "idr@ietf.org wg" <idr@ietf.org>, sidr@ietf.org, George Michaelson <ggm@apnic.net>, Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] Levels of BGPsec/RPKI validation, was: Re: [Idr] wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2015 04:58:17 -0000

Hi Iljitsch,

> But now what if a certificate expires? We know from the web that this is extremely common. If an expired certificate means the prefixes involved are marked invalid, this means that filtering invalids becomes very problematic: not only will prefixes randomly drop off the net as people forget to generate or install certificates or RPKI caches get stale, but if things get really bad the resulting lack of connectivity makes it impossible to correct the problem…
> 
> So what we need is for expired certificates to make the affected prefixes revert to unknown rather than invalid. Turns out, that's what happens today:
> 
> http://mailman.nanog.org/pipermail/nanog/2014-December/071907.html
> 


yup, becuase an expired certificate is not used for validation of ROAs, so a route object that is only referred to by a ROA that cannot be validated is “unknown” in this taxonomy. It is not “invalid" by virtue of an expired certificate.


> However, unless this is specified in one of the related documents other than the three mentioned above, this seems to be an implementation choice.


to quote RFC6483: 

  "It is assumed here that a relying party (RP) has access to a local
   cache of the complete set of valid ROAs when performing validation of
   a route.  (Valid ROAs are defined as ROAs that are determined to be
   syntactically correct and are signed using a signature that can be
   verified using the RPKI, as described in [RFC6482].)

i.e. the route validation process that produces this set of valid, invalid and unknown outcomes is based on the set of valid ROAs. ROAs that cannot be validated (i.e. due to expired certificates and other causes) are not considered in the route validation process described in RFC6483.

 
> 
> I think the above issue needs to be discussed in an update of RFC 6483 or in one of the BGPsec documents.


It’s not clear to me that any further text needs to be added to RFC6483. The underlying process is one based on examination of the route feed and comparing each received route object to a collection of attestations and authorities that have been validated by the relying party as trustable.

> 
> And there's probably a bit more to think about: wouldn't it make sense to be able to filter on the signature algorithm at some point during the transition from one algorithm to the next? Or to be able to filter on "expired" explicitly? A binary valid/invalid isn't enough. Valid/unknown/invalid is workable, but maybe four or five levels is even better.
> 
> (And have a look at how this works in practice: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html search for PEX.)
> 


regards,

   Geoff

v2.23.0 | Report a Bug | By Email